Links

OpenSSL tricks – checking https ports

Looking for UNIX and IT expertise? Why not get in touch and see how we can help?

Checking whether or not your web server is running is pretty simple – telnet to port 80, issue a HEAD request, and make sure you get a valid response. What’s less well known is how to test an https session – in this post I’ll go through the nice tool the OpenSSL toolkit gives us.

People think of OpenSSL as a collection of libraries that enable us to build in SSL support to a variety of things – webservers, LDAP servers, etc. OpenSSL also happens to be a toolkit in binary form that’s built along with the libraries, and it’s a pretty powerful bit of kit.

First of all, we can use the s_client functionality to test an https connection:

This allows us to form a proper SSL connection to the web server – we can see the certificate, check it’s validity, and then run our HEAD request check as well. We’re not just doing a basic “are you listening?” check – openssl is forming the same https connection a client would, so this is very handy when checking out certificate mis-matches or bizarre client errors.

Within the same session we can then start talking http and check our server is doing the right thing:

Worst case you can do this testing direct on your web server, but pretty much most machines should have OpenSSL installed, and at a minimum you should look at adding it to your collection of tools on your laptop or memory stick.

Another interesting and lesser known use of OpenSSL is for file encryption.

This is an example using OpenSSL’s enc function to encrypt a text file using the Blowfish cipher:

Using OpenSSL like this for file encryption gives you simple, easy access to quite strong encryption algorithms, but without the hassle of managing key files that you get with PGP – so can be an ideal solution for things like managing sensitive webserver log files.

The last OpenSSL trick to look at is hashing functions – specifically we want to calculate a message digest to check that a file hasn’t been tampered with.

Although outdated md5 is still the most commonly used hash function to check a file’s integrity – most often you’ll be looking at md5 checksums to verify a large file has been fully downloaded, or that it’s not been tampered with.

All we need to do is call OpenSSL with it’s digest function, specify the hash algorithm to use, and then give it a file to check. Classic case here – I want to verify that the checksum for the VPN software I’ve downloaded matches up:

Hopefully this has given you an idea of the power and flexibility of the OpenSSL tookit. A big advantage of utilising OpenSSL in this way is that it can easily be scripted, given you some very powerful tools for carrying out simple sanity checks on remote, publicly accessible servers.